Data Processing Addendum

Last updated March 3, 2026

This Data Processing Addendum ("DPA") forms part of the Tidyflow Terms of Service and applies where Tidyflow processes Personal Data on behalf of a customer.


1. Definitions

Customer means the entity or individual using the Tidyflow Service.

Tidyflow means the provider of the Service.

Personal Data means any information relating to an identified or identifiable individual that is processed through the Service.

Customer Data means all data submitted to or stored within the Service by Customer.

Applicable Data Protection Laws means, as applicable: (a) the General Data Protection Regulation (EU) 2016/679 ("EU GDPR"); (b) the UK General Data Protection Regulation and the Data Protection Act 2018 ("UK Data Protection Laws"); and (c) any other applicable data protection or privacy legislation.


2. Roles of the Parties

For Personal Data included in Customer Data:

  • Customer acts as the Data Controller (or equivalent under Applicable Data Protection Laws).
  • Tidyflow acts as the Data Processor, processing Personal Data solely on behalf of Customer.

Tidyflow does not determine the purposes or means of processing Customer Data.


3. Scope of Processing

Tidyflow processes Personal Data only:

  • To provide and maintain the Service
  • To support Customer requests
  • To ensure system security and reliability
  • As otherwise instructed by Customer through use of the Service

The categories of Personal Data processed depend on what Customer chooses to upload and may include names, contact details, financial information, and documents.

Processing occurs primarily in the United States.


4. Confidentiality

Tidyflow ensures that personnel authorized to process Personal Data:

  • Are bound by confidentiality obligations
  • Receive appropriate security awareness training
  • Have access limited to what is necessary to perform their role

5. Security Measures

Tidyflow implements appropriate technical and organizational measures designed to protect Personal Data, including:

  • Encryption in transit (TLS) and at rest
  • Role-based access controls
  • Multi-factor authentication support
  • Logical tenant isolation between customer accounts
  • Restricted internal access to production systems
  • Regular system updates and security monitoring

Further details are available on the Tidyflow Security page.


6. Sub-processors

Tidyflow may engage trusted third-party service providers ("Sub-processors") to support the Service.

Tidyflow:

  • Enters into written agreements with Sub-processors
  • Requires Sub-processors to implement appropriate data protection safeguards
  • Remains responsible for Sub-processor compliance with this DPA

A current list of Sub-processors is available on the Tidyflow Sub-processors page.


7. International Transfers

Tidyflow's primary infrastructure and data storage are located in the United States. For transfers of Personal Data from the United Kingdom or European Economic Area to the United States, Tidyflow relies on the UK Extension to the EU-US Data Privacy Framework and/or the EU-US Data Privacy Framework, as applicable, under which Tidyflow's sub-processors are self-certified. Where the Data Privacy Framework does not apply or ceases to provide a valid transfer mechanism, Tidyflow will implement an alternative lawful transfer mechanism, such as the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses, as appropriate.


8. Supervisory Authority

The competent supervisory authority shall be determined by reference to the Customer's establishment. For UK-based Customers, the competent supervisory authority is the Information Commissioner's Office (ICO).


9. Assistance with Data Subject Requests

To the extent required by Applicable Data Protection Laws, Tidyflow will provide reasonable assistance to Customer in responding to requests from individuals exercising their data protection rights, including rights of access, rectification, erasure, restriction, portability, and objection.


10. Data Retention and Deletion

Customer Data is retained for the duration of the subscription.

Upon termination of the Service:

  • Customer may request export of Customer Data within a reasonable period.
  • Customer Data will be securely deleted in accordance with Tidyflow's internal retention policies, unless retention is required by law.

11. Audits

Upon reasonable written request, Tidyflow may provide information necessary to demonstrate compliance with this DPA.

Tidyflow may satisfy audit requests through documentation, certifications, or written responses.


12. Governing Terms

This DPA is governed by the same law and jurisdiction as the Tidyflow Terms of Service.

In the event of conflict between this DPA and the Terms of Service, this DPA shall control with respect to data protection matters.